Quote:
When you give the information from the trc or log file that informs of their address.
Yes ... yes, it is a VMware problem.
Olly fails - maybe out of memory - I tried it on Vista (my OS) without VMware. It reached 100% and found all references, then Olly hung.
Now it does not work as well.
It reaches 21.5% then hangs. Does the OS affect this plugin? Can you share the Olly on which you made the tests? Thanks
Use a clean WinXP SP3 or VMware with WinXP SP3, then there should be no problems.
Some options of the Olly disassembler influence the quality of the code and of the VMSweeper analysis. Look at the configuration on which the plugin was created and tested. Options which result in errors during analysis/decompiling of code are selected.
[Settings]
IDEAL disassembling mode=0
Disassemble in lowercase=0
Separate arguments with TAB=0
Extra space between arguments=0
Show default segments=1
Always show memory size=1
NEAR jump modifiers=0
Show local module names=1
Show symbolic addresses=0
Use short form of string commands=0
Use RET instead of RETN=0
SSE size decoding mode=0
Size sensitive mnemonics=1
Top of FPU stack=1
Decode registers for any IP=0
Automatically select register type=0
Decode SSE registers=0
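A quick check against the recommended disassembler settings above, added here as an example (not VMSweeper code and not from Vam's post): it parses the [Settings] section of an ollydbg.ini and reports every recommended key that is missing or set to a different value. The sample ini contents are constructed.

```python
import configparser

# Recommended OllyDbg [Settings] values quoted in the post above, the
# configuration on which VMSweeper was created and tested.
RECOMMENDED = {
    "IDEAL disassembling mode": "0",
    "Disassemble in lowercase": "0",
    "Separate arguments with TAB": "0",
    "Extra space between arguments": "0",
    "Show default segments": "1",
    "Always show memory size": "1",
    "NEAR jump modifiers": "0",
    "Show local module names": "1",
    "Show symbolic addresses": "0",
    "Use short form of string commands": "0",
    "Use RET instead of RETN": "0",
    "SSE size decoding mode": "0",
    "Size sensitive mnemonics": "1",
    "Top of FPU stack": "1",
    "Decode registers for any IP": "0",
    "Automatically select register type": "0",
    "Decode SSE registers": "0",
}

def load_settings(ini_text):
    """Parse the [Settings] section of an ollydbg.ini, keeping key case."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the mixed-case keys OllyDbg writes
    parser.read_string(ini_text)
    if not parser.has_section("Settings"):
        return {}
    return dict(parser.items("Settings"))

def check_settings(ini_text):
    """Return {key: (found, expected)} for every recommended option that is
    missing (found is None) or set to another value; empty means it matches."""
    current = load_settings(ini_text)
    return {key: (current.get(key), expected)
            for key, expected in RECOMMENDED.items()
            if current.get(key) != expected}

# Constructed sample: a trimmed ollydbg.ini where two options deviate
# and the remaining recommended keys are absent.
SAMPLE_INI = """[Settings]
IDEAL disassembling mode=1
Disassemble in lowercase=0
Show default segments=1
Use RET instead of RETN=1
"""
```

Call check_settings() on the text of your real ollydbg.ini (the file sits next to OLLYDBG.EXE) and fix every key it returns before running the plugin.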
Ok Vam, so my Olly is still alive and not aged :p.
So I have to wait for the next version... please, I can't wait (longing to see the new one) :rolleyes: ... when will it be? :D Many thanks for your nice work
New version VMSweeper v1.4 beta 10
Added:
1. Improved restoration of a completely erased IAT.
2. Improved detection of API function names.
3. Resizing of the Virtual Segment for intermediate code (VMS size option in the ini file).
4. Tracking of the memory contents and the entire stack when creating intermediate code.
5. Improved devirtualization of conditional jumps.
6. The code analyzer detects two types of code: clean and obfuscated. These were previously in the "Cancelled" group.
7. Devirtualization of the sub esp instruction without flags.
8. Processing of VM entries of type call xx (any intermediate entry into the VM can be decompiled).
9. Automatic VM code analysis mode. Enter this mode on demand after the first restart of the application. Code obtained in this mode can be worse than code obtained in manual mode (Ctrl+F2 -> [F9] -> Shift+F1), but it allows you to quickly check whether the code decompiles. In this mode only the static code analyzer works.
Fixed:
1. Processing of transit (blank) exits from the VM.
2. Fixed an exception when restoring the correspondence between VM registers and CPU registers.
3. Determining the number of arguments of an obfuscated function.
4. P-code can be detected in any segment of the analyzed application.
This tool doesn't open in Win7, or the compilation is wrong.
Please fix. Thanks.
Quote:
Use a clean WinXP SP3 or VMware with WinXP SP3, then there should be no problems.
Hi Vam....
I have this problem now!!! Please can you check it again :rolleyes: Thanks
1. Sweeper is not yet able to fully restore a multisection IAT with partially erased sections, where the functions of one API library are located in different sections.
2. Tell me the range of the code and VM segments and the address of the decoded function at which this error occurs.
I will provide you with details when I get back home,
and I will make a small flash movie. Thanks for the support... great work from the best coder.
@Vam: Check your PM
I think when it needs to rebuild the IAT it fails...
At OEP 42E441 performing decoding (F1) makes no sense; there is no VM there. Decoding of functions is possible only at addresses with the status Postponed. In your program there are three such addresses and they are decompiled successfully (up to the final section a12).
To begin with, decompile the test example, if you have not done so before, and learn how to manage Sweeper. Processing of imports will be done in the next version of Sweeper.
Does it support the Themida VM?
For Themida look here (but only CISC VM):
http://forum.exetools.com/showpost.php?p=72196&postcount=5
Waiting for the update.
beta 11
http://rghost.net/6720721
Added:
1) Handlers for the FPU instructions fclex, fldcw, fstcw, fldz, fld1, fistp.
2) The window for entering the code and VM segments now has 3 buttons:
- Analyze - start analysis of VM entries and import restoration.
- Accept - apply the entered segment values without analysis.
- Cancel - exit without saving any changes.
3) Display of API names in p-code maps, relocations and function calls.
4) Devirtualization of the add esp, xx instruction.
5) Improved restoration of a partially wiped IAT.
6) Import recovery of the form: push reg; call vm -> call [api].
7) Import recovery of the form: push/pop reg; call vm -> mov reg,[api].
8) Improved recognition of VM entries.
9) Improved detection of the VM loop.
Fixed:
1) Code conversion of pop xx; jmp xx into retn.
2) Restructuring of intermediate code. Block intersections.
3) Eliminated several exceptions during code devirtualization.
4) Removal of anti-dump code.
Translated from Russian. PS: Vam, correct me if I translated it incorrectly and you meant something else :)
The antidebugger function can only be used on a Windows XP system.
There is an update for this tool.
Download link:
http://rghost.ru/11532971
http://www.exelab.ru/f/index.php?action=vthread&forum=13&topic=15906&page=10#14
Hoping for a tutorial on how to use and set up the VMS plugin.
Read the topic, decompile the test example, everything is written in detail, even with a video... Do not forget to also read the chm help file.
Thanks Vam :p:p:p
Good, great tool.
Dear Vam,
I used beta12; the IAT of my application was recovered successfully. But none of the Postponed entries can be decoded, such as 0x00411dfe. When I tried to decode 0x0040DE5F, which was labeled "False code VM entry point", an error appeared: "Extra input after operand in push dword ptr ds:[0x0043905c]+0x7ddb8235+0x48899ea0". PS: I can send you my application, whose OEP is 0x0041E7EB, if you wish.
VMSweeper v1.4 beta 13
New version VMSweeper v1.4 beta 14
03.11.2011 VMSweeper 1.4 beta 15
Added:
1. CodeVirtualizer: Improved detection of the CMC primitive.
2. CodeVirtualizer: Added handling of setne.
3. CodeVirtualizer: Improved detection of upper-byte registers (ah, ch, dh, bh).
4. VmProtect: Implemented processing of displaced VM code (VM code relocation).
5. VmProtect: Handlers for the FPU instructions fst, fisub.
Fixed:
1. CodeVirtualizer: Insertion of a direct asm instruction into the source code.
2. VmProtect: Moving an operator that changes the flags to show its flag.
3. VmProtect: Restoration of imports; sometimes jmp [api] was restored instead of call [api].
Very nice tool
Thank you for this tool, guys!
VMSweeper 1.4 beta 15 still can't process some CodeVirtualizer VMs,
such as the VM code in EmEditor.
cnbragon,
since when does EmEditor (by Emurasoft?) use a VM?
I can't download the attached file :( Please upload it to Mediafire for everybody.
Thanks much :)
I tried to apply it to this http://forum.exetools.com/showthread.php?t=13884 - could anybody do more?
Please make a tutorial applying VMSweeper.
Read the VMSweeper.chm or look at the video at the beginning of this topic.
New: VMSweeper v1.5 beta 0
http://rghost.ru/37543927
VMSweeper 1.5 Beta 0 (12.04.2012)
http://www.mediafire.com/?6a6vrjya141cqyg